Document the Scene

The most important aspect in the entire field of computer forensics is documentation. In addition to documenting one's own activities, the entire scene must be documented before processing of the scene can take place. All scene documentation is best done with a team of two individuals: one individual to perform any processing of the scene and a second individual solely responsible for documenting the evidence found. The documentation can be in a general computer forensics logbook, or in the case of larger investigations, a logbook dedicated to that specific investigation.

In addition to cataloging all potential items of evidence to provide a written record, the scene itself should be photographed prior to any actions. If a forensic photographer is available, allow her to photograph the entire scene. If one is not available, the analyst may need to use a time-stamped camera, either digital or film. Start with a few shots of the entire scene for overall layout. Follow with close-ups of each piece of evidence. Note cards bent in half make nice, inexpensive labels for purposes of photographing evidence locations.

Even if a professional forensic photographer is available, the analyst might have to assist her in identifying what to photograph from a digital perspective. Items that require special attention in a computer investigation include:

  • Computer screens. Photograph the current screen with a still camera with a high enough resolution to read text if necessary.

  • Network connections. Any network or phone cables going to or from the computer should have close-up shots taken of them. Both ends of every cable should be photographed in the event that the analyst has to prove that a computer was connected to a specific network or phone line when he arrived.

  • Peripheral connections. Connections to peripherals should likewise be shot in close-up for later reassembly and proof of connection.

Tip 

Do not use a video camera to photograph a computer screen. Because of differences in the sampling rate of the camera and the refresh rate of the screen, images may not be properly viewable.

When in doubt, take additional pictures. It is impossible to go back and do so later. After all, even the location of the mouse can prove significant; it may help to show that a left-handed person was the last user.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
EAN: 2147483647
Year: 2006
Pages: 71
Authors: Chad Steel
